Cross-site scripting (XSS) attacks aren’t new. They have been around for over twenty years and have penetrated the defenses of major sites like Google, Facebook and even Yahoo. The goal of a cross-site scripting attack can be to steal data, to take control of a user’s session, or to serve as one part of a larger phishing scam. To succeed in these goals, hackers use different types of attacks.
Any site that accepts data from an outside user is vulnerable to an XSS attack, but some specific ways your site may be vulnerable include Ajax, images, password issues, title tags, style tags, and misconceptions regarding termination of an HTML string.
1. Ajax
Ajax is the term used for code that combines JavaScript and XML. It introduces subtle ways to exploit your website. Ajax is complex and offers many variations in how users can interact with a site. The way that hackers infiltrate a site that uses Ajax is subtle as well, and difficult to detect. If your site uses Ajax, you may be vulnerable to XSS attacks, and may even have been the victim of a hacker without realizing it.
2. Images
Inserting images into different locations on your site may make it vulnerable to XSS. There are several different aspects where this vulnerability can occur. Image tags, JavaScript code inserted into the tag, and the code used to insert an image onto a site are just some of the ways you can leave your site open to cross-site attack. When using images for your website, you need to take steps to close any vulnerability that can leave you exposed.
3. Cross-Site
This most basic type of attack is just as useful to hackers now as it was in the 1990s, when hackers first discovered and used these vulnerabilities on unsuspecting websites. This vulnerability allows a hacker to inject code because the website accepts information from a location other than the server with the same level of acceptance as if it came from the server.
4. Password Issues
When users are able to create their own passwords, they often leave sites open to attack. That is because most users don’t understand how to create a secure password. Often, the phrases they create leave openings for hackers to interject code and hijack the password, and thus gain access to the website as if they were the user.
5. HTML String
There is a misconception in coding that when an HTML string is used, it needs a specific character to end the string. That character is usually a “;”, and if it is absent in a website, the program may not understand that the code is complete. Hackers can take advantage of this by adding their code into the HTML string and gaining access.
6. Title Tags
When JavaScript is used in title tags, it can leave the site vulnerable to attack. Unless the website owner closes this vulnerability, a malicious person can use it to their advantage. Website owners need to be careful when creating title tags.
7. Style Tags
As with title tags, style tags with JavaScript can also create issues for a website that can be used to interject malicious code.
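An added example, not code from the original article, showing the image-tag and title-tag cases above: the same untrusted values built into markup by plain concatenation and then with a scheme allow-list plus output encoding. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example, not the article's code. All inputs are constructed.

// Encode the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: untrusted values concatenated straight into markup.
function unsafeImageTag(src, alt) {
  return '<img src="' + src + '" alt="' + alt + '">';
}

// Hardened pattern: allow-list the URL scheme, then encode every attribute value.
// Returns null on rejection so the caller can fall back to a placeholder image.
function safeImageTag(src, alt) {
  let url;
  try {
    url = new URL(String(src));
  } catch (err) {
    return null; // not an absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return null; // rejects javascript:, data: and other non-web schemes
  }
  return '<img src="' + escapeHtml(url.href) + '" alt="' + escapeHtml(alt) + '">';
}

// Title text is encoded the same way so it cannot close the <title> element.
function safeTitle(text) {
  return '<title>' + escapeHtml(text) + '</title>';
}

// Constructed hostile inputs.
const hostileAlt = 'logo" onerror="alert(1)';
const hostileSrc = 'javascript:alert(1)';
const hostileTitle = 'Home</title><script>alert(1)</script>';

console.log(unsafeImageTag('https://example.com/a.png', hostileAlt)); // attribute injected
console.log(safeImageTag('https://example.com/a.png', hostileAlt));   // quotes encoded
console.log(safeImageTag(hostileSrc, 'logo'));                        // null
console.log(safeTitle(hostileTitle));                                 // tags encoded
```

The hardened function accepts absolute http and https URLs only; a site that serves relative image paths would resolve them against its own origin before applying the same check.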
When creating a website, webmasters and programmers need to be aware of the potential vulnerabilities for cross-site attacks and know how to prevent them. Tags, images, passwords, HTML strings, and Ajax can put a site at risk for XSS, but there are other potential vulnerabilities as well. Eliminating these issues, either during programming or after launch, will help to make your website more secure.
About the Author: Fergal Glynn is the Director of Product Marketing for ways to prevent XSS with Veracode.com, an award-winning application security company specializing in secure SDLC and other security breaches with effective risk assessment tools.
Hey mate!
Yeah XSS Attacks are really harmful as of current ethical hacking world!
Thanks for your guide!
Whoops so many types of attacks. My website has been facing several Brute force attacks in the past few weeks, so I was looking for ways through which I can secure my website and then you came up with this. Now I need to work for a few more hours to ensure its security. :p
Great Article Peter. Loved it and as always very informative. Cheers 🙂
Seems like if it’s not one security vulnerability thing it’s another these days. I try to keep my stuff up-to-date as much as possible, but ultimately I can only assume that the software, plugin, modification, etc. knows what they are doing. I don’t have a lot of faith in everything out there though.
I know there are a lot of sites at risk that don’t even realize it until something happens. Which is when backups can come in handy too.
People can just take over a site in so many ways and that’s really scary.
Hi Fergal and Peter!
The main reason for XSS attacks is the website itself. If a website has been poorly coded then it is 100% vulnerable to XSS attacks. To prevent such attacks, we should make use of appropriate string parsing functions that will filter out pure requests from the codes/commands inserted in the HTTP request which can trigger such attacks. Thanks for sharing the information.
-Pramod
Not everyone knows how to prevent an XSS attack though, it’s too technical, don’t you think so, Pramod? I mean, all the coding is just not for any ordinary guy, it’s hard!
Solid points. Injection is one of the oldest and simplest things hackers do and it continues to work for them. This is one reason that I have reservations about people just learning to code quickly (via online classes, easy how-to books) and thinking they can build a site that has a lot of features in a few weeks. Doing so opens yourself up to vulnerabilities as you don’t have an in-depth understanding of the inner workings.